Researchers have found multiple holes in Android phones’ permissions-based security that would allow a hacker to snatch data, monitor geolocation, send SMS messages, and even eavesdrop on conversations.

A group of security researchers from North Carolina State University found the glitches in eight handsets from HTC, Motorola, Samsung and Google.

The researchers found “explicit capability leaks” that would allow hackers to bypass key security defenses of Android that require users to grant permission to apps before those apps gain access to personal information and functions such as texting.

The glitchy code lies within interfaces and services added by the phone manufacturers to beef up stock firmware from Google.

In this paper, we systematically study eight popular Android smartphones from leading manufacturers, including HTC, Motorola, and Samsung and are surprised to find out these stock phone images do not properly enforce the permission-based security model. Specifically, several privileged (or dangerous) permissions that protect access to sensitive user data or phone features are unsafely exposed to other apps which do not need to request these permissions for the actual use.

These capability leaks constitute “a tangible security weakness for many Android smartphones in the market today,” they said.

And, they added, the snazzier the phone, the buggier the picture, given that the more pre-loaded apps are present, the more likely the gadget is to have explicit capability leaks.

These are the eight Android smartphones they tested and found to be at risk:

HTC:
* Legend
* EVO 4G
* Wildfire S

Motorola:
* Droid
* Droid X

Samsung:
* Epic 4G

Google:
* Nexus One
* Nexus S

As if all this weren’t grim enough, the researchers note that the tool they’re using to validate the smartphones, which they’ve dubbed Woodpecker, has a number of limitations.

For one, Woodpecker doesn’t handle native code; it only handles bytecode from Dalvik, the process virtual machine in the Android operating system that runs Android apps.

Woodpecker is also limited to handling 13 defined permissions, although many more exist, and apps are free to define new ones.

“Extending the system to handle more predefined permissions is expected to produce much the same results,” the researchers say.

Not enough? There’s more.

Adding support for app-defined permissions will lead to another class of capability leaks altogether: namely, chained capability leaks, where a permission might be safely passed from one app to a second app, which then unsafely passes it on along to a third app.

Another rug to lift to look for more bugs is among third-party apps, given that the security researchers only examined pre-loaded apps in the smartphones’ firmware.

The researchers note that capability leaks — particularly explicit ones — on phone images “are of great interest to malicious third parties.” Implicit leaks are fairly rare, they say, and more likely tied to software engineering defects than constituting actual security risks.

But implicit leaks could be due for their day in the sun when it comes to third-party apps, since they could open the smartphones up to “collusion attacks,” the researchers said.

A cohort of seemingly innocuous apps could conspire together to perform malicious activities and the user may not be informed of the true scope of their permissions within the system.

Wasn’t it just last week that Google’s Open Source Programs Manager, Chris DiBona, was railing against vendors of Android anti-virus software (and any minion scurrilous enough to work for one), summing up the ragged lot as being likely “charlatans and scammers?”

Yes, yes, I do believe it was last week that Mr. DiBona told such “scammers” that if they worked selling virus protection “for android, rim or IOS you should be ashamed of yourself [sic].”

Should the North Carolina State University researchers, Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang, bow their heads and slink home in shame for finding the current crop of Android bugs?

Well, if their cheeks do burn red, I hope they don’t slink out of sight before they present their paper and roll out an even better version of Woodpecker.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

This article states that "Android" has security glitches yet the researchers noted, "The glitchy code lies within interfaces and services added by the phone manufacturers to beef up stock firmware from Google." A lot of contradiction

So? The net effect is that users of such devices need to pull their heads from the safe confines of their nether regions, and accept they too are vulnerable to attack. Funny really, given the recent rant about Android specific antivirus software by Google!

There are security risks associated with ANY AND ALL systems. It is just a fact of life that people are not perfect and you should assume any complex system has flaws. You just have to pick a system to use and accept that there are risks. In choosing a system you look what is available and make a decision on if you want to trust that system and how far you want to trust it. I would never fully trust a system to be “perfectly secure”.

I really enjoyed the article. It proved to be very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! There are tons of blog sites that simply make stupid information, but yours are different, I am so happy to read your posts :)